CVE-2015-1832
Published: 2016-10-03
Priority: P3 54
Severity: critical, 9.1 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 12.17% (95.6th percentile)
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Affected
25 ranges (duplicate rows collapsed)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | derby | — | — |
| apache | derby | >= 0 < 10.13.1.1-1 | 10.13.1.1-1 |
| debian | derby | < derby 10.13.1.1-1 (bookworm) | derby 10.13.1.1-1 (bookworm) |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_oracle | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
OSV
Improper Restriction of XML External Entity Reference in Apache Derby
osv · 2022-05-13 · CRITICAL
Description: identical to the NVD description above.

GHSA
Improper Restriction of XML External Entity Reference in Apache Derby
ghsa · 2022-05-13 · CRITICAL · CWE-611
Description: identical to the NVD description above.

OSV
CVE-2015-1832: XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10
osv · 2016-10-03 · CVSS 9.1 · CRITICAL
Description: identical to the NVD description above.
Oracle
Oracle Construction and Engineering Risk Matrix: Platform (Apache Derby) — CVE-2015-1832
vendor_oracle · 2020-10-15 · CVSS 9.1 · CRITICAL
CVE: CVE-2015-1832
CVSS: 9.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2020 (OCT 2020)

Oracle
Oracle Knowledge Risk Matrix: Web Applications - InfoCenter (Apache Derby) — CVE-2015-1832
vendor_oracle · 2020-04-15 · CVSS 9.1 · CRITICAL
CVE: CVE-2015-1832
CVSS: 9.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2020 (APR 2020)
Red Hat
Derby: XXE attack possible by using XmlVTI and the XML datatype
vendor_redhat · 2015-07-17 · CVSS 9.1 · CRITICAL · CWE-611
Description: identical to the NVD description above.
Package: derby (Red Hat BPM Suite 6) - Not affected
Package: derby (Red Hat JBoss BRMS 6) - Not affected
Package: derby (Red Hat JBoss Fuse 6) - Not affected
Debian
CVE-2015-1832: derby - XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby b...
vendor_debian · 2015 · CVSS 9.1 · CRITICAL
Description: identical to the NVD description above.
Scope: local
bookworm: resolved (fixed in 10.13.1.1-1)
bullseye: resolved (fixed in 10.13.1.1-1)
forky: resolved (fixed in 10.13.1.1-1)
sid: resolved (fixed in 10.13.1.1-1)
trixie: resolved (fixed in 10.13.1.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-1832 Apache Derby: XXE attack possible by using XmlVTI and the XML datatype [fedora-all]
bugzilla · 2016-10-04 · CVSS 9.1 · CRITICAL

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multiple su
Bugzilla
CVE-2015-1832 Apache Derby: XXE attack possible by using XmlVTI and the XML datatype
bugzilla · 2016-10-04 · CVSS 9.1 · CRITICAL

Apache Derby could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
Upstream bug:
https://issues.apache.org/jira/browse/DERBY-6807
Upstream patch:
https://svn.apache.org/viewvc?view=revision&revision=1691461
Discussion:
Created derby tracking bugs for this issue:
Affects: fedora-all [bug 1381475]
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21990100
- http://www.securityfocus.com/bid/93132
- https://issues.apache.org/jira/browse/DERBY-6807
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
- https://svn.apache.org/viewvc?view=revision&revision=1691461
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html